Abstract

Artin's braid groups have been recently suggested as a new source for public-key cryptography. In this paper we propose the first undeniable signature schemes using the conjugacy problem and the decomposition problem in the braid groups, which are believed to be hard problems.
1 Introduction

Recently braid groups have been suggested as an alternate platform for doing public-key cryptography. The birthdate of braid group based cryptography can be traced back to the pioneering work of Anshel et al. in 1999 [2] and Ko et al. in 2000 [16]. Since then, braid groups have attracted the attention of many cryptographers due to the fact that they provide a rich collection of hard problems like the conjugacy problem, braid decomposition problem and root problem, and there are efficient algorithms for parameter generation and group operation [4].

Since the construction of a Diffie-Hellman type key agreement protocol and a public key encryption scheme by Ko et al. in 2000 [16], there have been many attempts to design other cryptographic protocols using braid groups. Positive results in this direction are the construction of a pseudorandom number generator by Lee et al. in 2001 [19], key agreement protocols by Anshel et al. in 2001 [?], an implementation of braid computations by Cha et al. in 2001 [1], digital signature schemes by Ko et al. in 2002 [?], entity authentication schemes by Sibert et al. in 2002 [23] and a provably-secure identification scheme by Kim et al. in 2004 [14].

In this paper, we construct some undeniable signature schemes using braid 
groups. Digital signatures bind signers to the contents of the document they sign. 
The ability for a third party to verify the validity of a signature is usually seen as 
the basis for the non-repudiation aspect of digital signatures. The authenticity of 
a digital signature can be verified by anyone having the public key of the signer. 
However, this universal verifiability property of digital signatures is not always a 
desirable property. Such is the case of a signature binding parties to a confidential 
agreement, or of a signature on documents carrying private or personal information. 

Chaum and van Antwerpen [?] introduced the concept of undeniable signatures for limiting the ability of third parties to verify the validity of a signature. An undeniable signature, like a digital signature, depends on the signer's public key as well as on the message signed. Such signatures are characterized by the property that verification can only be achieved by interacting with the legitimate signer through a confirmation protocol. On the other hand, the signer can prove a forgery by engaging in a denial protocol. If the signer does not succeed in denying (in particular, if it refuses to cooperate) then the signer remains legally bound to the signature. On the other hand, the signer is protected by the fact that his signature cannot be verified by unauthorized third parties without his own cooperation.

Undeniable signatures have immense real-life applications. Almost all the undeniable signature schemes constructed so far have been based on integer factorization [10] and discrete logarithm problems [?], [?]. Our work is the first to present undeniable signature schemes based on braid groups, or even in any nonabelian group setting. The purpose of this paper is to illustrate the construction of efficient cryptographic protocols based on hard problems in braid groups. Our schemes are based on the conjugacy search problem, multiple simultaneous conjugacy search problem, braid decomposition problem and the multiple simultaneous braid decomposition problem. In Section 2, we briefly review the basics of braid groups. We describe in Section 3 the preliminaries needed for this paper. A simple undeniable signature scheme and a modified one are described in Section 4. A zero-knowledge undeniable signature scheme is given in Section 5. We also prove the completeness, soundness and zero-knowledgeness (wherever applicable) of the protocols. The paper concludes with some general remarks in Section 6.



2 An Overview of Braid Groups 

In this section, we briefly describe the basics of braid groups and the hard problems in braid groups. A good introduction to braid groups is [?] and survey articles on braid cryptography are [17].

2.1 Geometric Interpretation of Braids 

A braid group $B_n$ is an infinite non-commutative group arising from geometric braids composed of $n$ strands. A braid is obtained by laying down a number of parallel strands and intertwining them so that they run in the same direction. The number of strands is called the braid index. Braids have the following geometric interpretation: an $n$-braid (where $n \in \mathbb{N}$) is a set of $n$ disjoint strands all of which are attached to two horizontal bars at the top and bottom such that each strand always heads downwards as one moves along the strand from top to bottom. Two braids are equivalent if one can be deformed to the other continuously in the set of braids.

Let $B_n$ be the set of all $n$-braids. $B_n$ has a natural group structure. Each $B_n$ is an infinite torsion-free noncommutative group and its elements are called $n$-braids. The multiplication $ab$ of two braids $a$ and $b$ is the braid obtained by positioning $a$ on the top of $b$. The identity $e$ is the braid consisting of $n$ straight vertical strands and the inverse of $a$ is the reflection of $a$ with respect to a horizontal line.

Let $S_n$ be the symmetric group on $n$ symbols. Given a braid $a$, the strands define a map $\rho(a)$ from the top set of endpoints to the bottom set of endpoints. In this way we get a homomorphism $\rho : B_n \to S_n$.

2.2 Presentations of Braid Groups 

Any braid can be decomposed as a product of simple braids known as Artin generators $\sigma_i$, that have a single crossing between the $i$-th strand and the $(i+1)$-th strand with the convention that the $i$-th strand crosses under the $(i+1)$-th strand. The homomorphism $\rho$ maps the generator $\sigma_i$ to the transposition $\tau_i = (i, i+1)$.

For each integer $n \ge 2$, the $n$-braid group $B_n$ has the Artin presentation by generators $\sigma_1, \sigma_2, \ldots, \sigma_{n-1}$ with relations

$$\sigma_i \sigma_j = \sigma_j \sigma_i, \text{ where } |i - j| \ge 2, \text{ and} \qquad (2.2.1)$$

$$\sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1}, \text{ for } 1 \le i \le n-2.$$

2.3 Some Special Classes of Braids 

Let $B_n^+$ denote the submonoid of $B_n$ generated by $\{\sigma_1, \ldots, \sigma_{n-1}\}$. Elements of $B_n^+$ are called the positive braids. A positive braid is characterized by the fact that at each crossing the string going from left to right undercrosses the string going from right to left.

A positive braid is called non-repeating if any two of its strands cross at most once. We denote by $D = D_n \subset B_n^+$ the set of all non-repeating braids. To each $\pi \in S_n$ we can associate a unique $a \in D_n$ in the following way: for $i = 1, \ldots, n$ connect the upper $i$-th point to the lower $\pi(i)$-th point by a straight line, making each crossing positive, i.e. the line between $i$ and $\pi(i)$ is under the line between $j$ and $\pi(j)$ if $i < j$. The following lemma says that $\rho$ restricted to $D_n$ is a bijection.

Lemma 2.1. The homomorphism $\rho : B_n \to S_n$ restricted to $D_n$ is a bijection.

Hence non-repeating braids are also known as permutation braids. From this lemma it follows that $|D_n| = n!$. In this way we can identify $D_n$ with $S_n$.
Let $LB_n$ and $RB_n$ be two subgroups of $B_n$ consisting of braids obtained by braiding the left $\lfloor n/2 \rfloor$ strands and the right $n - \lfloor n/2 \rfloor$ strands, respectively. That is,

$$LB_n = \langle \sigma_1, \ldots, \sigma_{\lfloor n/2 \rfloor - 1} \rangle \quad \text{and} \quad RB_n = \langle \sigma_{\lfloor n/2 \rfloor + 1}, \ldots, \sigma_{n-1} \rangle.$$

Then we have the commutativity property that for any $\alpha \in LB_n$ and $\beta \in RB_n$, $\alpha\beta = \beta\alpha$. These subgroups of $B_n$ are used in designing various cryptographic protocols.

2.4 Canonical Decomposition of Braids 

For two words $v$ and $w$ in $B_n$, we say that $v \le w$ if $w = avb$ for some $a, b \in B_n^+$. Then $\le$ is a partial order in $B_n$ [?].

The positive braid $\Delta = (\sigma_1 \ldots \sigma_{n-1})(\sigma_1 \ldots \sigma_{n-2}) \ldots (\sigma_1 \sigma_2)\sigma_1$ is called the fundamental braid. A braid $A$ satisfying $e \le A \le \Delta$ is called a canonical factor. There is a bijection between the set of all permutation braids and the set of all canonical factors [9]. Thus a canonical factor can be denoted by the corresponding permutation $\pi \in S_n$. By $\pi_\Delta$ we mean the permutation corresponding to the fundamental braid $\Delta$.

For a positive braid $P$, we say that the decomposition $P = A_0 P_0$ is left-weighted if $A_0$ is a canonical factor, $P_0 \ge e$ and $A_0$ has the maximal word length among all such decompositions. A left-weighted decomposition $P = A_0 P_0$ is unique [1]. $A_0$ is called the maximal head of $P$. Any braid $x$ can be uniquely decomposed as

$$x = \Delta^u A_1 A_2 \ldots A_k, \text{ where } u \in \mathbb{Z},\ A_i \ne e,\ A_i \text{ is a canonical factor} \qquad (2.4.1)$$

and the decomposition $A_i A_{i+1}$ is left-weighted for each $1 \le i \le k-1$ [1]. This unique decomposition is called the left canonical form of $x$ and so it solves the word problem. Since each canonical factor corresponds to a permutation braid, $x$ can be denoted as

$$x = \pi_\Delta^u \pi_1 \pi_2 \ldots \pi_k, \text{ where } \pi_i \ne \text{Identity}, \pi_\Delta. \qquad (2.4.2)$$

Hence for implementation purposes the braid $x$ can be represented as the tuple $(u, \pi_1, \pi_2, \ldots, \pi_k)$. The integer $u$, denoted by $\inf(x)$, is called the infimum of $x$ and the integer $u + k$, denoted by $\sup(x)$, is called the supremum of $x$. The canonical length of $x$, denoted by $\mathrm{len}(x)$, is given by $k = \sup(x) - \inf(x)$.
2.5 Hard Problems in Braid Groups

We use the following hard problems in our signature schemes. 

1. Conjugacy Search Problem (CSP)

Let $(x, y) \in B_n \times B_n$ such that $y = a^{-1} x a$, where $a \in B_n$ or some subgroup of $B_n$. The conjugacy search problem is to find a $b$ such that $y = b^{-1} x b$.

2. Multiple Simultaneous Conjugacy Search Problem (MSCSP)

Let $(x_1, a^{-1} x_1 a), \ldots, (x_r, a^{-1} x_r a) \in B_n \times B_n$ for some $a \in B_n$ or some subgroup of $B_n$. The multiple simultaneous conjugacy search problem is to find a $b$ such that $b^{-1} x_1 b = a^{-1} x_1 a, \ldots, b^{-1} x_r b = a^{-1} x_r a$.

3. Braid Decomposition Problem (BDP)

Let $(x, y) \in B_n \times B_n$, where $y = a_1 x a_2$ for some $(a_1, a_2) \in LB_n \times LB_n$. The braid decomposition problem is to find a pair $(b_1, b_2) \in LB_n \times LB_n$ such that $y = b_1 x b_2$.

4. Multiple Simultaneous Braid Decomposition Problem (MSBDP)

Let $(x_1, a_1 x_1 a_2), \ldots, (x_r, a_1 x_r a_2) \in B_n \times B_n$ for some $(a_1, a_2) \in LB_n \times LB_n$. The multiple simultaneous braid decomposition problem is to find a pair $(b_1, b_2) \in LB_n \times LB_n$ such that $b_1 x_1 b_2 = a_1 x_1 a_2, \ldots, b_1 x_r b_2 = a_1 x_r a_2$.

3 Preliminaries 

In this section, we describe the initial system setup, the intractability assumptions, an assumption regarding the cardinalities of certain sets and some notation used in this paper.

3.1 Initial Setup 

The system parameters $n$ and $l$ are chosen to be sufficiently large positive integers and are made public. Let $H : \{0,1\}^* \to B_n$ and $h : B_n \to \{0,1\}^k$ be collision free hash functions.

Since the braid group $B_n$ is discrete and infinite, we cannot have a uniform probability distribution on $B_n$. But since there are finitely many positive $n$-braids with $l$ canonical factors, we may consider randomness for these braids. Such a braid can be generated by concatenating $l$ random canonical factors.

We fix positive integers $n, l$ as system parameters. Let

$$B_n(l) = \{ b \in B_n \mid 0 \le \inf(b) \le \sup(b) \le l \},$$
$$LB_n(l) = \{ b \in LB_n \mid 0 \le \inf(b) \le \sup(b) \le l \} \text{ and}$$
$$RB_n(l) = \{ b \in RB_n \mid 0 \le \inf(b) \le \sup(b) \le l \}.$$

Then $|B_n(l)| \le l\,(n!)^l$ and so $LB_n(l)$, $RB_n(l)$ and $B_n(l)$ are finite sets. We use the random braid generator given in [1] (which produces random braids in $O(ln)$ time) for generating random braids. Also, we consider the uniform probability distribution on these sets.

By $SRB_p$ we mean some subgroup of $RB_m$, where $p \le m - \lfloor m/2 \rfloor$, and $SRB_p(l) = \{ b \in SRB_p \mid 0 \le \inf(b) \le \sup(b) \le l \}$.

3.2 Notations 

We use the following notations throughout this paper.

• By $a \in_r A$, we mean a random choice of an element $a$ from the set $A$.

• By $P \xrightarrow{Q} V$, we mean $P$ sends $Q$ to $V$.

3.3 Intractability Assumptions 

We assume that the hard problems CSP, MSCSP, BDP, MSBDP, stated in Section 
2.5 are intractable in braid groups. 

3.4 An Assumption on the Cardinality of a Set 

We assume that for 'sufficiently large' values of $n$ and $l$ and random choices of $a, \beta, \gamma \in B_n(l)$, $a_1, a_2 \in LB_n(l)$ and $\alpha \in RB_n(l)$, the cardinality of the set $E_\alpha(\beta, \gamma)$ defined by

$$E_\alpha(\beta, \gamma) = \{ \varepsilon \in RB_n(l) : \varepsilon^{-1} \beta (a_1 a a_2) \varepsilon = \alpha^{-1} \beta (a_1 a a_2) \alpha,\ \varepsilon^{-1} \gamma a \varepsilon \ne \alpha^{-1} \gamma a \alpha \}$$

is 'sufficiently large'. In this paper, we do not undertake any theoretical or numerical study to check the validity of this assumption. This assumption is rewritten below and will be used in the security analysis of some of our protocols.

Assumption 3.1. Let $n, l$ be 'sufficiently large' positive integers and $a, \beta, \gamma \in_r B_n(l)$, $a_1, a_2 \in_r LB_n(l)$ and $\alpha \in_r RB_n(l)$. Then the cardinality of the set $E_\alpha(\beta, \gamma)$ is bounded below by a nonconstant polynomial function $p(n, l)$ of $n$ and $l$.

4 A Simple Undeniable Signature Scheme 

This section describes a simple undeniable signature scheme based on the multiple simultaneous braid decomposition problem (MSBDP).

4.1 Public and Private Keys 

The system is set up by the signer (Alice) in the following manner: Alice chooses random braids $a \in B_n(l)$ and $a_1, a_2 \in LB_n(l)$ and computes $x = a_1 a a_2$. She sets her public key as $(a, x)$ and private key as $(a_1, a_2)$.

We shall denote by PK the tuple (a, x) generated as above. 

4.2 Signature Generation 

Suppose that Alice wants to sign a message $m$. She computes $S_m = a_2 y a_1^{-1}$, where $y = H(m)$, giving the output pair $(m, S_m)$. We denote by $SIG(m)$ the set of valid signatures on $m$.

4.3 The Confirmation Protocol 

Here we present a zero-knowledge confirmation protocol. It is carried out by two players, a prover ($P$) and a verifier ($V$). The public inputs to the protocol are the public key parameters, namely $(a, x) \in PK$, and a pair $(m, S_m)$. In the case that $S_m$ is a valid signature of $m$, $P$ will be able to convince $V$ of this fact, while if the signature is invalid then no prover (even a computationally unbounded one) will be able to convince $V$ to the contrary except with a negligible probability.

Signature Confirmation Protocol

Input: Prover: Secret key $a_1, a_2 \in LB_n(l)$.

Common: Public key $(a, x) \in PK$, $y$ and alleged $S_m$.

1. $V$ chooses $\alpha \in_r RB_n(l)$, computes the challenge $Q = \alpha^{-1}(S_m x)\alpha$ and $V \xrightarrow{Q} P$.

2. $P$ chooses $b, c \in_r B_n(l)$, computes the response $R = b(a_2^{-1} Q a_2^{-1})c$ and $P \xrightarrow{R} V$.

3. $V \xrightarrow{\alpha} P$.

4. $P$ verifies that $Q = \alpha^{-1}(S_m x)\alpha$ and then $P \xrightarrow{(b, c)} V$.

5. $V$ verifies that $R = b\alpha^{-1}(ya)\alpha c$. If it holds then $V$ accepts $S_m$ as a valid signature of $P$.

Theorem 4.1. Confirmation Theorem. Let $(a, x) \in PK$.

Completeness: Given $S_m \in SIG(m)$, if $P$ follows the signature confirmation protocol then $V$ always accepts $S_m$ as a valid signature.

Soundness: A cheating prover $P^*$, even computationally unbounded, cannot convince $V$ to accept $S_m \notin SIG(m)$ with probability greater than $\frac{1}{p(n,l)}$.

Zero-knowledgeness: The protocol is zero-knowledge, namely on input of a message and its valid signature, any (possibly cheating) verifier $V^*$ interacting with the prover $P$ does not learn any information aside from the validity of the signature.

Proof. Completeness: Let $S_m$ be a valid signature. $P$ computes

$$R = b(a_2^{-1} Q a_2^{-1})c = b(a_2^{-1} \alpha^{-1} (S_m x) \alpha a_2^{-1})c = b\alpha^{-1}(ya)\alpha c,$$

which $V$ verifies after getting $(b, c)$ from $P$ and accepts the signature as valid. Hence the protocol is complete.

Soundness: By Assumption 3.1, there are at least $p(n, l)$ choices for $\alpha \in RB_n(l)$ which give the same value of $Q$ but different values of $R$. Hence it is infeasible for a cheating prover $P^*$ to distinguish between these different values of $\alpha$, even if he has infinite computational power. Therefore a cheating prover $P^*$, even computationally unbounded, cannot convince $V$ to accept $S_m \notin SIG(m)$ with probability greater than $\frac{1}{p(n,l)}$. Thus the protocol is sound.

Zero-knowledgeness: There are two difficulties in the analysis here. Since $B_n$ is an infinite discrete group, we cannot have a uniform probability distribution on $B_n$. Also, for implementation purposes we need to restrict to a finite subset $B_n(l)$ of $B_n$. Unfortunately $B_n$ has no finite nontrivial subgroup. So at some computational stages in the protocol, the elements may fall out of $B_n(l)$. Hence we only give a sketch of the proof here.

For ease of analysis let us assume that at Step 2, $P$ chooses $(b, c) \in_r B_n^2$ and computes $R \in B_n$. So, we can treat $R$ as a random element of $B_n$. Also, since $|B_n(l)| \ge (\lfloor n/2 \rfloor !)^l$ [?], any random choice of $(b, c) \in B_n(l)^2$ by $P$ in practice makes the response $R$ appear as a random element. Hence the protocol can be treated as zero-knowledge. □
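As an added example (not code from the paper), the left canonical form of Section 2.4 implemented over permutation braids and used as the word-problem oracle for the Section 4.3 completeness identity $R = b\alpha^{-1}(ya)\alpha c$. Braids are words in the Artin generators, random words stand in for $H(m)$ and for the braid generator of [1], and all function names are this example's own.

```python
"""Left canonical form (Section 2.4) and the Section 4.3 completeness check.
A braid word lists Artin generators: integer i is sigma_i, -i is sigma_i^{-1}.
A canonical factor (permutation braid) is a tuple p, p[x] = bottom position of
the strand starting at top position x (0-based); the product ab has b[a[x]]."""
import random

def delta(n):
    """Permutation of the fundamental braid Delta: strand x ends at n-1-x."""
    return tuple(n - 1 - x for x in range(n))

def inverse(p):
    return tuple(sorted(range(len(p)), key=lambda x: p[x]))

def swap_values(p, i):
    """p * sigma_i: exchange the values i-1 and i (bottom positions)."""
    return tuple((2 * i - 1) - v if v in (i - 1, i) else v for v in p)

def starting_set(a):
    """S(A) = {i : A = sigma_i A'}: adjacent top strands i-1, i cross in A."""
    return {i for i in range(1, len(a)) if a[i - 1] > a[i]}

def finishing_set(a):
    """F(A) = {i : A = A' sigma_i}: adjacent bottom strands i-1, i cross."""
    return starting_set(inverse(a))

def left_weight(a, b):
    """Rewrite A B (permutation braids) as a left-weighted pair: move crossings
    from the head of B to the tail of A until S(B) is contained in F(A)."""
    while True:
        movable = starting_set(b) - finishing_set(a)
        if not movable:
            return a, b
        i = min(movable)
        q = list(b)                         # B <- sigma_i^{-1} B: swap positions
        q[i - 1], q[i] = q[i], q[i - 1]
        a, b = swap_values(a, i), tuple(q)  # A <- A sigma_i

def conj_by_delta(p):
    """tau(A) = Delta^{-1} A Delta, used to move Delta^{-1} to the front."""
    d = delta(len(p))
    return tuple(d[p[d[x]]] for x in range(len(p)))

def normal_form(n, word):
    """Left canonical form (u, (pi_1, ..., pi_k)) of the braid given by word."""
    u, factors = 0, []
    for g in word:
        if g > 0:
            factors.append(swap_values(tuple(range(n)), g))
        else:  # sigma_i^{-1} = Delta^{-1}(Delta sigma_i^{-1}); pushing Delta^{-1}
            # leftwards past the factors so far replaces each A_j by tau(A_j)
            factors = [conj_by_delta(f) for f in factors]
            u -= 1
            factors.append(swap_values(delta(n), -g))
    changed = True
    while changed:  # left-weight adjacent pairs until every pair is stable
        changed = False
        for j in range(len(factors) - 1):
            pair = left_weight(factors[j], factors[j + 1])
            if pair != (factors[j], factors[j + 1]):
                factors[j], factors[j + 1] = pair
                changed = True
    while factors and factors[0] == delta(n):  # Delta factors join Delta^u
        factors.pop(0)
        u += 1
    while factors and factors[-1] == tuple(range(n)):  # drop trivial factors
        factors.pop()
    return u, tuple(factors)

def equal(n, w1, w2):  # word problem: same braid iff the normal forms agree
    return normal_form(n, w1) == normal_form(n, w2)

def inv(word):
    return [-g for g in reversed(word)]

def random_word(gens, length, rng):
    return [rng.choice(gens) * rng.choice((1, -1)) for _ in range(length)]

def confirmation_check(n, length, seed=1):
    """Honest run of Section 4.3: x = a1 a a2, S_m = a2 y a1^{-1}, challenge
    Q = alpha^{-1}(S_m x)alpha, response R = b(a2^{-1} Q a2^{-1})c; returns whether
    V's check R = b alpha^{-1}(y a)alpha c holds.  Random words stand in for H(m)
    and the braid generator of [1]: an illustration, not a secure build."""
    rng = random.Random(seed)
    left = list(range(1, n // 2))       # LB_n: sigma_1 .. sigma_{n/2-1}
    right = list(range(n // 2 + 1, n))  # RB_n: sigma_{n/2+1} .. sigma_{n-1}
    full = list(range(1, n))
    a, a1, a2 = [random_word(g, length, rng) for g in (full, left, left)]
    x = a1 + a + a2                     # public key (a, x)
    y = random_word(full, length, rng)  # y = H(m)
    s_m = a2 + y + inv(a1)              # signature on m
    alpha = random_word(right, length, rng)
    q = inv(alpha) + s_m + x + alpha    # V's challenge
    b, c = random_word(full, length, rng), random_word(full, length, rng)
    r = b + inv(a2) + q + inv(a2) + c   # P's response
    return equal(n, r, b + inv(alpha) + y + a + alpha + c)
```

The check passes only because $\alpha \in RB_n$ commutes with $a_2 \in LB_n$; replacing `right` by `full` makes `confirmation_check` return False for most seeds, which is the commutativity property of Section 2.3 at work.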

4.4 Signature Denial Protocol 

The public inputs to the protocol are the public key parameters, namely $(a, x) \in PK$, and a pair $(m, S_m)$. In the case that $S_m \notin SIG(m)$, $P$ will be able to convince $V$ of this fact, while if $S_m \in SIG(m)$ then no prover (even a computationally unbounded one) will be able to convince $V$ that the signature is invalid except with negligible probability.

Let $SRB_{n_1}$ and $SRB_{n_2}$ be two subgroups of $RB_n$ consisting of braids obtained by braiding the left $n_1$ strands and the right $n_2$ strands, respectively (where $n_1 + n_2 = n - \lfloor n/2 \rfloor$). Then we have the commutativity property that for any $\sigma \in SRB_{n_1}$ and $\tau \in SRB_{n_2}$,

$$\sigma\tau = \tau\sigma.$$

The Denial Protocol

Input: Prover: Secret key $a_1, a_2 \in LB_n(l)$.

Common: Public key $(a, x) \in PK$, $y$ and alleged $S_m$.

1. $V$ chooses $\alpha \in_r SRB_{n_1}(l)$, $b \in_r SRB_{n_2}(l)$, computes $Q_1 = \alpha^{-1} S_m x \alpha$, $Q_2 = b^{-1} S_m x b$ and $V \xrightarrow{(Q_1, Q_2)} P$.

2. $P$ computes the responses $R_1 = a_2^{-1} Q_1 a_2^{-1}$, $R_2 = a_2^{-1} Q_2 a_2^{-1}$ and $P \xrightarrow{(R_1, R_2)} V$.

3. $V$ verifies $b^{-1} R_1 b = \alpha^{-1} R_2 \alpha$. If equality holds $V$ accepts $S_m$ as an invalid signature, else $P$ is answering improperly.

Theorem 4.2. Denial Theorem. Let $(a, x) \in PK$.

Completeness: Suppose that $S_m \notin SIG(m)$. If $P$ and $V$ follow the protocol, then $V$ always accepts that $S_m$ is not a valid signature of $m$.

Soundness: Suppose that $S_m \in SIG(m)$. Then a cheating prover, even computationally unbounded, cannot convince $V$ to reject the signature with probability greater than $\frac{1}{p(n,l)}$.

Proof. Completeness: Assume that $S_m \notin SIG(m)$. We have

$$R_1 = a_2^{-1} \alpha^{-1} S_m x \alpha a_2^{-1} = \alpha^{-1} a_2^{-1} S_m a_1 a \alpha \quad \text{and}$$
$$R_2 = a_2^{-1} b^{-1} S_m x b a_2^{-1} = b^{-1} a_2^{-1} S_m a_1 a b.$$

As $\alpha b = b\alpha$, we get

$$b^{-1} R_1 b = \alpha^{-1} R_2 \alpha = \alpha^{-1} b^{-1} (a_2^{-1} S_m a_1 a) b \alpha.$$

Hence the protocol is complete.

Soundness: Assume that $S_m \in SIG(m)$. Let $R_1$ and $R_2$ be the responses given by $P^*$ in the protocol. Let, if possible, $b^{-1} R_1 b = \alpha^{-1} R_2 \alpha$. Then

$$R_2 = \alpha b^{-1} R_1 b \alpha^{-1} = \alpha \beta \alpha^{-1}, \text{ where } \beta = b^{-1} R_1 b.$$

In the worst case, we may regard $\beta$ as a known constant for $P^*$ when he tries to determine $R_2$. But then the ability to determine $R_2$ amounts to the establishment of an invalid signature, which contradicts Theorem 4.1 (soundness of the confirmation protocol). Hence the protocol is sound. □

4.5 A Blackmailing Attack 

In this subsection, we show that any non zero-knowledge version of the confirmation protocol is susceptible to a blackmailing attack. That is, if the prover does not check the challenge $Q$ of the verifier, he is susceptible to a blackmailing attack. This type of attack for the discrete logarithm based undeniable signature schemes was suggested by M. Jakobsson [12]. M. Jakobsson noted that the protocol in [?] has the following weakness: Alice, proving the correctness of her signatures, never knows what signature is being verified. Using this weakness of the undeniable signatures he showed how an adversary can blackmail a signer.

For illustrating this attack in our case, we consider the following non-zero-knowledge version of the confirmation protocol given in Section 4.3.

Signature Confirmation Protocol

Input: Prover: Secret key $a_1, a_2 \in LB_n(l)$.

Common: Public key $(a, x) \in PK$, $y$ and alleged $S_m$.

1. $V$ chooses $\alpha \in_r RB_n(l)$, computes the challenge $Q = \alpha^{-1}(S_m x)\alpha$ and $V \xrightarrow{Q} P$.

2. $P$ computes the response $R = a_2^{-1} Q a_2^{-1}$ and $P \xrightarrow{R} V$.

3. $V$ verifies that $R = \alpha^{-1}(ya)\alpha$. If it holds, $V$ accepts $S_m$ as a valid signature of $P$.

Now, suppose that Eve has found out that $(m, S_m)$ belongs to Alice (Eve might be Bob himself). Now we will show how Eve can convince $k$ entities $E_1, E_2, \ldots, E_k$ that the signature pair belongs to Alice.

Let $SRB_{n_0}, SRB_{n_1}, \ldots, SRB_{n_k}$ be $k+1$ subgroups of $RB_n$, where $n - \lfloor n/2 \rfloor = n_0 + n_1 + \ldots + n_k$, for some appropriate positive integers $n_0, n_1, \ldots, n_k$. Each $SRB_{n_i}$ is the subgroup of $RB_n$ consisting of braids made by braiding $n_i$ strands from the left among the $n - \lfloor n/2 \rfloor$ strands, in the order $n_0, n_1, \ldots, n_k$. Let $n_{-1} = 1$. Then for $i = 0, 1, \ldots, k$,

$$SRB_{n_i} = \langle \sigma_{\kappa+1}, \sigma_{\kappa+2}, \ldots, \sigma_{\kappa+n_i-1} \rangle, \text{ where } \kappa = \left\lfloor \frac{n}{2} \right\rfloor + \sum_{j=0}^{i-1} n_j$$

and we have the mutual commutativity property that for any $\alpha_i \in SRB_{n_i}$ and $\alpha_j \in SRB_{n_j}$ with $i \ne j$, $\alpha_i \alpha_j = \alpha_j \alpha_i$.
The Protocol

1. Eve asks each $E_i$, $i = 1, \ldots, k$, to choose a secret braid $\alpha_i \in SRB_{n_i}(l)$.

2. Eve chooses a secret braid $\alpha_0 \in SRB_{n_0}(l)$ and computes $Q_0 = \alpha_0^{-1} S_m x \alpha_0$.

3. Eve $\xrightarrow{Q_0}$ $E_1$ $\xrightarrow{Q_1}$ $E_2$ $\xrightarrow{Q_2}$ $\cdots$ $\xrightarrow{Q_{k-1}}$ $E_k$ $\xrightarrow{Q_k}$ Eve, where $Q_i = \alpha_i^{-1} Q_{i-1} \alpha_i$ for $i = 1, \ldots, k$.

4. Eve convinces Alice to engage in a confirmation protocol for the message pair $(m, S_m)$.

5. Eve $\xrightarrow{Q_k}$ Alice.

6. Alice computes the response $R = a_2^{-1} Q_k a_2^{-1}$ and Alice $\xrightarrow{R}$ Eve.

7. Eve $\xrightarrow{(Q_k, R, m)}$ $E_i$, for $i = 1, \ldots, k$.

8. $E_i$ $\xrightarrow{\alpha_i}$ Eve, for $i = 1, \ldots, k$.

9. Eve computes $\alpha = \prod_{i=0}^{k} \alpha_i$ and Eve $\xrightarrow{\alpha}$ $E_i$, for $i = 1, \ldots, k$.

10. Each $E_i$ checks whether $Q_k = \alpha^{-1} S_m x \alpha$ and $R = \alpha^{-1} y a \alpha$. If it holds they will be convinced that Alice signed the message $m$.

Theorem 4.3. If Eve sends out $(\alpha, R, Q_k, m)$ to $\{E_i\}_{i=1}^{k}$, each one of them will be able to convince himself that the signature belongs to Alice.

Proof. By Assumption 3.1, it follows that Eve cannot get $\{\alpha_i\}_{i=1}^{k}$ from $Q_k$ before committing $(Q_k, R, m)$ to $\{E_i\}_{i=1}^{k}$, since each $\alpha_i$ is a random braid chosen and kept secret by $E_i$. By checking $Q_k = \alpha^{-1} S_m x \alpha$, each $E_i$ will be convinced that Eve has not cheated them by forming the challenge $Q_0$ corresponding to some other signer. □

4.6 Blinding 

The above signature scheme is a deterministic signature scheme whose security is based on the hardness of MSBDP. MSBDP may become easier as the number of available braid pairs increases. In our case, the parameter $r$ in MSBDP is the number of messages signed. So to make the scheme more secure, we may modify the scheme by blinding the signatures using random braids. The modified scheme can be described as follows.

Signature Generation 

To generate a signature on a message m the signer proceeds in the following way. 

1. Signer chooses $r \in_r LB_n(l)$.

2. Computes $S_m = r a_2 y a_1^{-1}$, where $y = H(m)$.

3. Outputs the signature $(m, S_m)$.

The confirmation and denial protocols are the same as the protocols given in the earlier case. A non zero-knowledge version of the confirmation protocol is given below for illustration.

The Confirmation Protocol

Input: Prover: Secret key $a_1, a_2 \in LB_n(l)$, and blinding factor $r \in_r LB_n(l)$.

Common: Public key $(a, x) \in PK$, $y$, and alleged $S_m$.

1. $V$ chooses $\alpha \in RB_n(l)$, computes the challenge $Q = \alpha^{-1}(S_m x)\alpha$ and $V \xrightarrow{Q} P$.

2. $P$ computes the response $R = a_2^{-1} r^{-1} Q a_2^{-1}$ and $P \xrightarrow{R} V$.

3. $V$ verifies that $R = \alpha^{-1} y a \alpha$. If equality holds then $V$ accepts $S_m$ as the signature of $P$.

Remark 4.1. We can easily see that the confirmation theorem and the denial theorem hold in this case also.
5 A Zero-knowledge Undeniable Signature Scheme

In this section, we describe an undeniable signature scheme in which the denial 
protocol is also zero-knowledge. 

5.1 Public and Private Keys 

The system is set up by the signer (Alice) in the following manner: Alice chooses $a \in_r B_n(l)$ and $a_1, a_2 \in_r LB_n(l)$ and computes $x = a_1 a a_2$. She sets her public key as $(a, x)$ and the private key as $(a_1, a_2)$.

We shall denote by $PK$ the tuples $(a, x)$ generated as above.

5.2 Signature Generation 

Suppose that Alice wants to sign a message $m$. She computes $S_m = a_1 y a_1^{-1}$, where $y = H(m)$, giving the output pair $(m, S_m)$.

We denote by SIG(m), the set of valid signatures on m. 

5.3 The Confirmation Protocol 

The confirmation protocol in this case is the same as the protocol given in Section 4.3.

5.4 Denial Protocol 

Here we describe a zero-knowledge denial protocol. The public inputs to the protocol are the public key parameters, namely $(a, x) \in PK$, and a pair $(m, S_m)$.

In this protocol, we use a zero-knowledge commitment function called blob. $\mathrm{blob}(r, t)$ perfectly hides the value of $t$ as long as $r$ is secret, and once the value of $r$ is revealed one can open the blob and get the value of $t$.

Signature Denial Protocol

Input: Prover: Secret key $a_1, a_2 \in LB_n(l)$.

Common: Public key $(a, x) \in PK$, $y$ and alleged $S_m$.

1. $V$ chooses $\alpha \in_r RB_n(l)$ and $t \in_r \{1, 2, \ldots, k\}$, computes $Q = (y^t \alpha^{-1} a \alpha,\ S_m^t \alpha^{-1} x \alpha) = (Q_1, Q_2)$ and $V \xrightarrow{Q} P$.

2. $P$ computes $t$ by trial and error using $Q_2 / a_1 Q_1 a_2 = (S_m / a_1 y a_1^{-1})^t$. Also, $P$ chooses $r$ randomly and $P \xrightarrow{\mathrm{blob}(r, t)} V$.

3. $V \xrightarrow{\alpha} P$.

4. $P$ checks the value of $Q$ using $\alpha$ and then $P \xrightarrow{r} V$.

5. $V$ opens the blob using the value of $r$ and checks the value of $t$. If the value of $t$ committed by $P$ is correct, then $V$ accepts that $S_m$ is not a valid signature of $P$.

Remark 5.1. The value of k in Step 1 above depends on the computing power of 
the prover and the verifier. If the prover has low computing power, the value of k 
can be chosen to be small but then the protocol needs to be repeated. 

Theorem 5.1. Denial Theorem. Let $(a, x) \in PK$.

Completeness: If $S_m \notin SIG(m)$ and if $P$ and $V$ follow the protocol, then $V$ always accepts that $S_m$ is not a valid signature of $m$.

Soundness: Assuming that $S_m \in SIG(m)$, a cheating prover, even computationally unbounded, cannot convince $V$ to reject $S_m$ with probability greater than $1/k$.

Zero-knowledgeness: The protocol is zero-knowledge, namely, on input of a message and an invalid signature, any (possibly cheating) verifier $V^*$ interacting with the prover $P$ does not learn any information aside from the fact that $S_m$ is in fact not a valid signature for the message $m$.

Proof. Completeness: Upon receiving $Q$ from $V$, $P$ computes

$$Q_2 / a_1 Q_1 a_2 = ((S_m)^t \alpha^{-1} x \alpha) / (a_1 y^t a_1^{-1})(a_1 \alpha^{-1} a \alpha a_2)$$
$$= ((S_m)^t \alpha^{-1} x \alpha) / (a_1 y^t a_1^{-1})(\alpha^{-1} x \alpha)$$
$$= (S_m / a_1 y a_1^{-1})^t \ne e.$$

Since $(Q_2 / a_1 Q_1 a_2)$ and $(S_m / a_1 y a_1^{-1})$ are known to $P$, $P$ can compute the value of $t$ by trial and error as the value of $t$ is small.

Soundness: $\alpha$ hides $t$ in the challenge $Q$. Since the value committed to by the blob cannot be changed, $P$'s best strategy is to guess the value of $t$, and there are $k$ choices for $t$. Hence the protocol is sound.

Zero-knowledgeness: This follows immediately from the zero-knowledge commitment of the blob. □

Remark 5.2. The above signature scheme is a deterministic signature scheme whose security is based on the hardness of MSCSP. As in the case of MSBDP, MSCSP may become easier as the number of available conjugate pairs increases. Hence the scheme may be made more secure by blinding the signatures using random braids as described in Section 4.



6 Concluding Remarks 

In this paper, we constructed some undeniable signature schemes using braid groups. Some of these schemes enjoy the zero-knowledge property. We used braid groups for the first time for designing undeniable signatures. The security of our schemes is based on the hardness of CSP, MSCSP, BDP and MSBDP. One can also explore the possibility of employing other hard problems for designing these protocols.

In Step 1 of the confirmation protocol given in Section 4.3, $V$ may compute the challenge $Q$ as $\alpha S_m x b$ or $\alpha^{-1} S_m \alpha b^{-1} x b$ or $\alpha S_m b x c$ instead of $\alpha^{-1}(S_m x)\alpha$, where $\alpha, b, c \in RB_n(l)$. The advantage of this modification is that there can be more choices for $\alpha, b, c \in RB_n(l)$ which give the same value of $Q$ but different values of $R$. This makes the task of a cheating prover $P^*$ to guess the value of $R$ harder, which in turn makes the probability for a cheating prover $P^*$ to convince $V$ to accept $S_m \notin SIG(m)$ smaller. The denial protocol given in Section 4.4 can also be similarly modified.

In this paper we have not carried out any investigation regarding the validity 
of the Assumption 3.1. We leave this problem for future investigation. Getting 
a theoretical justification for this assumption appears to be too hard. However, 
numerical experiments might throw some light on this assumption. 

There are many desirable features for a good undeniable signature scheme, like convertibility (the possibility to transform undeniable signatures into regular ones) and delegation (enabling selected third parties to confirm/deny signatures but not to sign). We have not considered these problems in this paper. Hence we hope that this study will motivate further research on digital signature schemes based on braid groups as well as other nonabelian groups.

The birth of braid cryptography has stimulated the search for other exotic mathematical structures for doing public-key cryptography. Public-key cryptography has so far been treated under the head of number theory and finite fields only. With the birth of braid cryptography a broader perspective on public-key cryptography has emerged. People have started looking at other nonabelian groups [?], [21], [20], [?] and combinatorial groups [22], [21] for building public-key cryptosystems. Hence we hope that this study will further stimulate the search for other mathematical structures as a better alternative to the number theoretic and discrete log based cryptosystems.